OC Version 3.0.3.1
Tracing the IPs of the visitors, I found that they come from all over the world.
Only one Chinese viewer always tries to attack me with this link: https://www.mysite.it/skin/adminer-3.3.2.php.
Do I have to worry? Can I block the Chinese visitor's IP?
What do you suggest? Thanks a lot.
They will all add to overall Admin Security:
Simple Login Security (Very simple solution, I have used such a Mod for a long time already)
If you want to make your administrator login page more private, this extension is just for you.
Functionality:
- Login page is accessible only with custom secret code
(http://yourwebsite.com/admin/?passkey=YourPassword)
- Custom pass key and password
- POSTed login info from other URLs won't be accepted without YourPassword
Simple but strong security enhancement. Using this extension you will disable login page access to everyone but yourself.
https://www.opencart.com/index.php?rout ... n_id=21371
---
False Admin Login Security (Change the Lockout period to whatever time you want, to keep 'em out for good)
Do you want to secure your store Admin login? Do you want to limit your Admin login attempts? Just install the False Admin Login Security extension and configure it. That's all.
https://www.opencart.com/index.php?rout ... n_id=39292
---
Opencart Security Admin Whitelist Access (Allows access only to listed IPs)
Whitelisting is the practice of explicitly allowing some identified entities access to a particular privilege, service, mobility, access or recognition. It is the reverse of blacklisting. Many network admins set up IP address whitelists, or an IP address filter, to control who is allowed on their networks / applications / servers.
https://www.opencart.com/index.php?rout ... n_id=37806
---
In addition to keeping some IPs out, use your SHOP .htaccess file to, at best, lock out entire blocks. I so far lock
out ~1'840 ranges/lines, totalling more than 650'000 IPs, in my 113 KB (!) .htaccess file, and it has no negative
effect on overall performance! Just make sure not to block potential customer IP ranges, or even yourself!
Use something like this to check (full) IP numbers: https://whatismyipaddress.com/ip-lookup
Code:
## Ernie's OpenCart .htaccess File July-21-2020
Options +SymLinksIfOwnerMatch
Options -Indexes
LimitRequestBody 750000
# (FROM HERE:)
# Order/Allow/Deny is the Apache 2.2 access syntax; Apache 2.4 only accepts it with mod_access_compat loaded.
# A partial IP with a trailing dot matches whole octet blocks: "1.32." covers 1.32.0.0-1.32.255.255.
<Files *>
order allow,deny
deny from 1.20.100.
deny from 1.20.220.
deny from 1.25.110.
deny from 1.31.97.
deny from 1.32.
deny from 1.49.47.
deny from 1.53.137.
deny from 1.70.76.
deny from 1.83.28.
deny from 1.83.127.
deny from 1.189.193.
deny from 1.194.83.
deny from 1.194.87.
deny from 1.198.28.
deny from 2.56.241.
deny from 2.56.242.
deny from 2.58.
deny from 2.59.
# ...
# ...
# ...
# ...
deny from 223.244.152.
deny from 223.244.153.
deny from 223.244.154.
allow from all
</Files>
# (TO HERE)
----
Good Luck!
Ernie
PS: Just be aware that even disallowed access attempts may still show up in the Admin Logs, despite the fact that they get no access.
They just never display a (Shop-related) Referrer Address in the Logs, and usually they have only one Log Entry.
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
Special attention to your deny from...
So you deny any IP that tries to connect to the admin folder, right?
What about adminer-3.3.2.php? Can it be dangerous?
Thanks a lot IP_CAM
adminer-* is nothing else than a simple replacement for phpMyAdmin, see: https://www.adminer.org/en/
That is what those scriptkiddies are trying to hit: this tool.
The number after "adminer-" is the version number.
Currently it seems that they have fun searching for it; I myself have x-thousand tries each day.
No worry IF YOU DO NOT USE THIS TOOL!
Note: adminer can be used as a simple replacement for any database tool (e.g. phpMyAdmin).
But (!!) it should not be stored any longer when not used anymore.
Better to rename this tool to something else (while also valid here: delete after usage).
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
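The two points above, Ernie's "deny from" ranges and OSWorX's observation that bots hunt for adminer-*.php, can be tied together in a small log check. This is an added example, not code from the thread or from OpenCart: it scans constructed Apache access-log lines for adminer/phpMyAdmin probes, turns each probing client into a /24 "deny from" line in the style of the .htaccess above, and refuses to emit any line that would also lock out an address you list as protected (your own, or a known customer range).

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined-log format (not real traffic):
# two clients probe adminer-*.php, one probes phpmyadmin, one is a normal shopper.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jul/2020:10:01:02 +0200] "GET /skin/adminer-3.3.2.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jul/2020:10:01:03 +0200] "GET /adminer-4.7.1.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jul/2020:10:02:10 +0200] "GET /adminer.php HTTP/1.1" 404 512 "-" "python-requests/2.23"
198.51.100.4 - - [21/Jul/2020:10:03:00 +0200] "GET /index.php?route=product/category HTTP/1.1" 200 8312 "-" "Mozilla/5.0"
192.0.2.20 - - [21/Jul/2020:10:04:00 +0200] "HEAD /phpmyadmin/ HTTP/1.1" 404 512 "-" "curl/7.68"
"""

# client IP and request path from a combined-log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')
# Paths a shop that ships neither tool should never be asked for.
PROBE_RE = re.compile(r'/(?:adminer(?:-[\d.]+)?\.php|phpmyadmin/)', re.IGNORECASE)


def probe_hits(log_text):
    """Count probe requests per client IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and PROBE_RE.search(m.group(2)):
            hits[m.group(1)] += 1
    return hits


def deny_prefix(ip):
    """Ernie's 'last block' style: 203.0.113.7 -> '203.0.113.' (the whole /24)."""
    return ip.rsplit(".", 1)[0] + "."


def matches_prefix(ip, prefix):
    """Apache partial-IP match: the prefix must end on an octet boundary."""
    return (ip + ".").startswith(prefix)


def propose_deny_lines(log_text, protected_ips):
    """'deny from' lines for every probing /24, minus any that would lock out a protected IP."""
    lines = []
    for ip in sorted(probe_hits(log_text)):
        prefix = deny_prefix(ip)
        if any(matches_prefix(p, prefix) for p in protected_ips):
            continue  # your own or a customer's range: never emit this one
        line = f"deny from {prefix}"
        if line not in lines:
            lines.append(line)
    return lines
```

With `protected_ips=["192.0.2.5"]` the 192.0.2.0/24 probe is skipped and only `deny from 203.0.113.` is produced; review the output before pasting it into the `<Files *>` block.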
Quote: So you deny any IP that tries to connect to the admin folder, right?
Well, I deny any IP accessing my Servers by use of some screwy link-code,
and since I don't need the whole World to see my Sites anyway,
I lock the entire sub-range instead of only a specific IP Number, like instead of:
123.456.789.123 - I add: 123.456.789. to the .htaccess file, to make sure that all
numbers of the last IP-Block are being locked out. In some cases, I also
lock out the second+third blocks too, so as to have everything blocked coming
from IP 123.xxx.xxx.xxx !
And if one tries to connect a few times within a few seconds, he will be blocked
temporarily. You may check one of my sites, and if you click on links quite fast,
you will be blocked for a short time, and if one repeats this multiple times,
he will be blocked for 10 hours, to allow me to later block them for good.
OC 1.5.6.x offers all those extensions, one reason, to still use it ...
My .htaccess so far contains 1'871 individual DENY FROM Lines, and every single
day, a couple of new denials are added to the file, to keep some BOOZO-Brains out
for good. It's kind of a Game, just like in real Life too ...
And to make double-sure, I also redirect them to Las Vegas too ...
So, anyone else, using the same link content, will be redirected automatically.
Regarding your ADMINER file, I am not quite familiar with it, but I assume, if you
have it password-secured well, there should be no problem. Just check the Web
to make sure that you always use the latest (tested) Version, just in Case ...
Good Luck!
Ernie
---
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
It is very boring because people want to steal your work done with effort and passion.
But very curious for me is the fact that before renaming the admin directory, I didn't see these requests.
Ever since I renamed the directory, there are a lot every day.
A great deal of attention and blocking of IP addresses or entire IP sub-ranges is waiting for me, as you do.
Thanks for the accurate and educational response. Very funny, the redirect to Las Vegas.
Code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Admin Access Control"
AuthType Basic
# Not wrapped in <Limit GET>: that would restrict GET only and leave POST/HEAD open.
# Order keywords must be separated by a comma only, no space.
order deny,allow
deny from all
# whitelisted IP
allow from xxx.xxx.xxx.xxx
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
Beware!
This is a solution ONLY if you have a static IP address.
If that's not the case (e.g. dynamic IP addresses, as many providers have), you will lock yourself out.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
Agree with OSWorX here. The solution mentioned above would need each of the users logging in to the admin area to have a static home/work IP, which may not always be possible. Instead, you could add another layer of authentication with HTTP Auth. If you're using cPanel based hosting, open the File Manager within cPanel, navigate to the root of your OpenCart store, right click on the admin folder, select the option "Password protect this directory" and follow the on-screen steps. For non-cPanel based sites, you can create a .htpasswd file with the credentials, and update the .htaccess file in the /admin folder.
--
Ananda
Spreading happiness while securing OpenCart websites with Astra Security Suite
Real-time protection against Credit Card Hack, SQLi, XSS, Malware, Bad Bots & 100+ cyber threats.
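The IP whitelist from the earlier post and the HTTP Auth layer suggested here can be combined so that a dynamic-IP user is not locked out. This is an added example in Apache 2.4 syntax, not a snippet from the thread or from OpenCart; the .htpasswd path and the allowed address are placeholders.

```apache
# admin/.htaccess (Apache 2.4 "Require" syntax; added example, not from the thread)
# Either a listed static IP or a valid .htpasswd login grants access:
# static-IP users skip the prompt, dynamic-IP users still get in with a password.
# Keep the whole thing outside any <Limit GET> block so POST and HEAD are covered too.
AuthType Basic
AuthName "Admin Access Control"
# placeholder path; keep the file outside the web root and create it with: htpasswd -B -c <file> <user>
AuthUserFile /path/outside/webroot/.htpasswd
<RequireAny>
    # constructed example address of the shop owner's office
    Require ip 192.0.2.10
    Require valid-user
</RequireAny>
```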
@ASTRA Security Suite: Good advice for those who don't use a static IP address, thanks for posting it.
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
Sorry, but again not true.
Whether an IP address is static or dynamic is not the choice of the developer or business, but rather the decision of the provider packages offered.
And as long as such a package with a static address costs 50% (or more) more than a "standard" access package, I do not see any reason why I should pay such money only to have a "static" address.
Nobody will pay me this price, and I have really no advantage in having only a "static" address.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.